On Monday, researchers began sounding the alarm about Heartbleed (CVE-2014-0160), a newly discovered encryption vulnerability that seriously undermines the underlying security of an estimated five hundred thousand websites, including many of the Internet's most popular, such as Yahoo, Flickr and OkCupid. Hackers exploiting the threat could conceivably steal login information, credit card numbers and any other highly sensitive data being sent between your browser and the affected sites.
However, what's not clear, and probably never will be, is which sites were actually subject to malicious activity and what data was stolen. Nor is it easy for the average Internet user to determine which sites were even vulnerable in the first place. This puts us in the unfortunate position of recommending that you change your passwords for every website, but that you only do so for a given site once it has received a security upgrade to prevent future snooping.
Sounds like a massive, complicated undertaking? It is. But that is a reflection of how serious this threat is.
Unfortunately, not all the information about Heartbleed has been easy to read or understand, even for seasoned Internet veterans. Let’s take a closer look at Heartbleed, minus the heavy technical jargon, so you can get a better sense for what happened.
What is Heartbleed?
An incredibly large number of websites, email servers and virtual private networks (VPNs) use security software called OpenSSL to shield communications between your computer and their servers. When you log in to Yahoo, for example, OpenSSL prevents an attacker from intercepting the transmitted data to capture your login and password. The OpenSSL software library is a major part of what keeps much of the world’s private data safe across the web — it's the heart of online security, if you will.
Heartbleed is a major security hole in multiple versions of OpenSSL. Data that has been decrypted sits temporarily in a site's server memory, and the bug lets anyone on the Internet read that memory. That means attackers can sneak a peek at your login credentials, and it can also hand them the encryption keys they need to unlock any other sensitive information being stored and transmitted. It can even give hackers the ability to impersonate websites in the future using those stolen encryption keys.
If you have a pretty strong understanding of computing technology, full details about the Heartbleed bug are available at heartbleed.com.
How can I stay protected?
The good news is that there is no evidence that hackers have used the Heartbleed exploit to steal data. That's not to say an attack hasn't happened, just that it would be very difficult to determine if one did. But you can bet the attacks will start ramping up now that the exploit is widely known.
Unfortunately, even the best anti-virus software won’t protect against Heartbleed. The only way to stay safe—for now—is to avoid sites that have yet to patch the OpenSSL Heartbleed bug. Hopefully, the browser developers will quickly add a feature that warns you when you visit a site that is still vulnerable.
Once a site has been fixed, you should change your password as soon as possible. A password management program will help you create and manage unique passwords for every site.
How do I know what sites are still affected?
Many major companies (including Yahoo) have already fixed the vulnerability on their end, but there are still plenty of vulnerable sites out there. Techlicious recommends you use the Heartbleed Test website to check whether your favorite sites or servers are still at risk. If they are, steer clear of entering sensitive information until they get the OK, and then change your password. For sites like Yahoo that are known to have been on the danger list, change those passwords as well.
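For readers who run their own server, the quickest first check is the OpenSSL version the system reports. The script below is an added example, not from Techlicious or the Heartbleed Test site; it encodes the publicly documented affected range (OpenSSL 1.0.1 through 1.0.1f and the 1.0.2-beta1 release; 1.0.1g and the 0.9.8 and 1.0.0 branches are not affected) and classifies the string that `openssl version` prints. The sample version strings inside it are constructed. One caveat a version check cannot resolve: some distributions backport the fix while keeping the old version number, so an "affected" result means "confirm against your vendor's advisory", not a final verdict.

```shell
#!/bin/sh
# Added example: classify an OpenSSL version string as being in the
# Heartbleed (CVE-2014-0160) affected range. Not code from the article.

# heartbleed_version_status VERSION
#   VERSION is a bare token such as "1.0.1e". Prints "affected" or
#   "not-affected". Affected: 1.0.1 through 1.0.1f, and 1.0.2-beta1.
heartbleed_version_status() {
    ver="$1"
    case "$ver" in
        1.0.1|1.0.1[a-f]) echo "affected" ;;
        1.0.2-beta1)      echo "affected" ;;
        *)                echo "not-affected" ;;
    esac
}

# openssl_version_token OUTPUT
#   Pulls the version token out of a full `openssl version` line,
#   e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013" -> "1.0.1e".
#   The "-fips" suffix that some builds append is dropped.
openssl_version_token() {
    printf '%s\n' "$1" | awk '{print $2}' | sed 's/-fips$//'
}

# check_local_openssl
#   Runs the real `openssl version` on this machine, if the binary exists,
#   and prints the classification. Prints "openssl-not-found" otherwise.
check_local_openssl() {
    if command -v openssl >/dev/null 2>&1; then
        heartbleed_version_status "$(openssl_version_token "$(openssl version)")"
    else
        echo "openssl-not-found"
    fi
}

# Constructed sample lines, as a server admin might see them from
# different hosts, followed by the check of the local system.
for sample in "OpenSSL 1.0.1e-fips 11 Feb 2013" \
              "OpenSSL 1.0.1g 7 Apr 2014" \
              "OpenSSL 1.0.0l 6 Jan 2014"; do
    tok=$(openssl_version_token "$sample")
    printf '%-12s %s\n' "$tok" "$(heartbleed_version_status "$tok")"
done
printf 'local: %s\n' "$(check_local_openssl)"
```

Keeping the classification in a function that takes a string, rather than reading `openssl version` directly, means the same logic can be run over version strings collected from many hosts (for example, the output of a configuration-management inventory) without touching each machine again.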
Techlicious.com is one of the sites still on the vulnerable list. But since we don't have logins for most users, there is little need for concern. However, this does impact our staff logins and we are working to quickly resolve the issue. [UPDATE 4/9/14: The Techlicious server has been patched and is no longer vulnerable]
Have questions? Ask in the comments below and we'll do our best to answer them based on the latest information.